Skip to main content

Azure Compute Gallery EUVDEUVD-2026-31516

| CVE-2026-26147 HIGH
Improper Input Validation (CWE-20)
2026-05-22 microsoft GHSA-jp7v-xgrx-wqjf
7.7
CVSS 3.1 · NVD
Temporal: 6.7
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CIRCL (temporal)
6.7 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 22:48 vuln.today

DescriptionCVE.org

Improper input validation in Azure Compute Gallery allows an authorized attacker to disclose information over a network.

AnalysisAI

Information disclosure in Microsoft Azure Compute Gallery permits an authenticated remote attacker to read sensitive data across tenant or resource boundaries due to improper input validation (CWE-20). The scope-changed CVSS 7.7 rating reflects cross-boundary impact, but the exploit maturity is currently unproven (E:U) and no public exploit identified at time of analysis. Microsoft has published an official fix via MSRC.

Technical ContextAI

Azure Compute Gallery (formerly Shared Image Gallery) is a Microsoft Azure service for managing, sharing, and replicating VM images, application packages, and other compute artifacts across subscriptions and regions; the affected CPE points specifically at Azure Stack HCI integration, the hybrid on-premises Azure platform that consumes gallery artifacts. CWE-20 (Improper Input Validation) at the gallery's network-facing interface means user-supplied parameters are not validated rigorously before being used to resolve or return resource data, enabling an authorized caller to coax the service into emitting information from contexts it should not have access to. The CVSS Scope:Changed designation reinforces that the impact crosses the vulnerable component's authorization boundary - typical of multi-tenant cloud control-plane bugs.

RemediationAI

Patch available per vendor advisory - apply the Microsoft update referenced in MSRC at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26147 to remediate. For Azure Compute Gallery itself, Microsoft typically mitigates server-side without customer action; for Azure Stack HCI deployments, apply the corresponding cumulative or security update package as detailed in the MSRC entry. As compensating controls until patching is complete, restrict gallery-related RBAC roles (Compute Gallery Sharing Admin, Reader on gallery resources) to the minimum set of principals, audit recent gallery API calls via Azure Activity Log for anomalous read patterns, and require Conditional Access / MFA on identities that hold any gallery permissions - the trade-off is tighter operational friction for legitimate image-publishing workflows.

Share

EUVD-2026-31516 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy